#!/bin/bash

echo_red() {
    echo -e "\033[31;40m$1\033[0m"
}

download_busybox() {
    if [ ! -f ./busybox ] ; then
        wget https://www.busybox.net/downloads/binaries/1.36.1-x86_64-linux-musl/busybox \
            -O busybox --connect-timeout 2
    fi
    if [ -f ./busybox ] ; then
        chmod +x ./busybox
        alias cat='./busybox cat'
        alias find='./busybox find'
        alias grep='./busybox grep'
        alias sed='./busybox sed'
        alias awk='./busybox awk'
        alias ls='./busybox ls'
        alias stat='./busybox stat'
        alias ip='./busybox ip'
        alias netstat='./busybox netstat'
        alias ps='./busybox ps'
        alias top='./busybox top'
        alias w='./busybox w'
        alias who='./busybox who'
        alias whoami='./busybox whoami'
        alias md5sum='./busybox md5sum'
        alias sha1sum='./busybox sha1sum'
        alias sha256sum='./busybox sha256sum'
    fi
}

update_env() {
    if [ -f /usr/bin/dnf ] ; then
        dnf -y update
    elif [ -f /usr/bin/yum ] ; then
        yum -y update
    elif [ -f /usr/bin/apt ] ; then
        apt -y update && apt -y upgrade
    fi
}

# ------------

if [ $UID -ne 0 ] ; then
    echo_red "请以root权限运行"
    exit 1
fi

echo "--- 正在执行操作系统基线检查 ---"
echo

# 如果可能，下载busybox代替部分系统命令，避免二进制文件劫持
download_busybox

echo "--- 检查OS发行版本 ---"
echo "当前操作系统为：$(cat /etc/os-release | grep PRETTY_NAME | cut -d = -f 2)"
[ -f /usr/sbin/getenforce ] && echo "SELinux状态: $(getenforce)"
[ -f /usr/bin/timedatectl ] && echo "当前时区：$(timedatectl show | grep Timezone | cut -d = -f 2)"
echo

echo "--- 检查CPU信息 ---"
grep "model name" /proc/cpuinfo | awk '{print $4,$5,$6}'
echo
echo "--- 检查内存信息 ---"
grep "MemTotal" /proc/meminfo
grep "SwapTotal" /proc/meminfo
if [ $(grep "MemFree" /proc/meminfo | awk '{print $2}') -lt 1024000 ]; then
    echo_red "警告：空余内存小于1G"
fi
if [ $(grep "SwapTotal" /proc/meminfo | awk '{print $2}') -lt 1024000 ]; then
    echo_red "警告：空余交换分区小于1G"
fi
echo
echo "--- 检查磁盘信息 ---"
df -h -x tmpfs -x devtmpfs -x overlay --output=target,source,size,pcent
echo

echo "--- 检查本机网络地址信息 ---"
ip -4 -o address | awk '{print $2,$4}'
echo
echo "--- 检查本机DNS信息 ---"
[ -f /etc/resolv.conf ] && cat /etc/resolv.conf | grep '^nameserver'
echo
echo "--- 检查本机NTP信息 ---"
if [ -f /etc/chrony.conf ] ; then
    cat /etc/chrony.conf | grep '^server'
elif [ -f /etc/ntp.conf ] ; then
    cat /etc/ntp.conf | grep '^server'
fi
echo
echo "--- 检查本机网络端口信息 ---"
command -v netstat >/dev/null 2>&1
if [ $? -eq 0 ] ; then
    netstat -ntulp
fi
echo 

echo "--- 检查系统用户 ---"
cat /etc/passwd | while read line
do
    U_NAME=$(echo "$line" | cut -d : -f 1)
    U_UID=$(echo "$line" | cut -d : -f 3)
    U_GID=$(echo "$line" | cut -d : -f 4)
    U_HOME=$(echo "$line" | cut -d : -f 6)
    U_SHELL=$(echo "$line" | cut -d : -f 7)

    [ $U_UID -eq 0 -o $U_GID -eq 0 ] && echo_red "发现特权用户 $U_NAME"

    if [[ "$U_SHELL" != "/sbin/nologin" ]] && [[ "$U_SHELL" != "/bin/sync" ]] && \
        [[ "$U_SHELL" != "/sbin/halt" ]] && [[ "$U_SHELL" != "/sbin/shutdown" ]] ; then
        echo_red "发现允许登录用户 $U_NAME"
        if [ -f $U_HOME/.rhosts -o -f $U_HOME/.netrc -o  -f $U_HOME/hosts.equiv ] ; then
            echo_red "发现危险用户 $U_NAME"
        fi
    fi
done
echo
echo "--- 检查可提权用户sudoers ---"
cat /etc/sudoers | grep -Ev '^$|#|Defaults'
echo
echo "--- 获取用户登录记录 ---"
lastlog | grep -v "**Never logged in**"
echo
echo "--- 获取SSH登录记录 ---"
if [ -f /var/log/secure ] ; then
    sshlog=/var/log/secure
elif [ -f /var/log/auth.log ] ; then
    sshlog=/var/log/auth.log
fi
if [ -f "$sshlog" ] ; then
    echo "最近5次成功登录"
    cat "$sshlog" | grep 'Accepted.*for' | tail -5 | awk '{print $1,$2,$3,$5,$9,$11}'
    echo "最近5次失败登录"
    cat "$sshlog" | grep 'Failed.*for' | tail -5 | awk '{print $1,$2,$3,$5,$9,$11}'
fi
echo

echo "--- 检查计划任务信息 ---"
crontab -l
echo 
echo "--- 检查最耗CPU资源的5个进程 ---"
ps aux --sort=%cpu | head -6
echo 
echo "--- 检查最耗内存资源的5个进程 ---"
ps aux --sort=%mem | head -6
echo

echo "--- 检查当前用户操作情况 ---"
w
echo

echo "--- 检查其他安全隐患 ---"
[ -n "$LD_PRELOAD" ] && echo_red "存在可疑链接库劫持"
F_LD_PRELOAD=/etc/ld.so.preload
if [ -s "$F_LD_PRELOAD" ] ; then
    echo_red "请核查以下可疑文件"
    cat "$F_LD_PRELOAD"
fi
echo

read -p "Press [Y/N] key to update os..." ENV_INIT
ENV_INIT=${ENV_INIT:-Y}
[ $ENV_INIT == "Y" -o $ENV_INIT == "y" ] && update_env

echo "--- 检查完成，谢谢使用！ ---"